What are examples of spear phishing attacks used in Canada?
Spear phishing is an email attack designed to look and read as though it was sent from a trusted source or from someone in a position of power. The email encourages the recipient to open an attachment, click on a link, or act on a request. Opening the attachment or clicking the link typically installs malware on the user's computer or leads to a page that harvests credentials; in other cases, such as the payment fraud described later on this page, there is no malware at all and the email itself is the attack.
Spear phishing attacks often target a specific organization or individual in an attempt to gain unauthorized access to sensitive information. Spear phishing emails are highly targeted and designed to advance a criminal’s agenda, whether for financial gain or access to trade secrets. The email might even appear to be coming from your boss and be crafted in a tone that resembles your boss. For example, a CFO may receive an email purporting to be from the CEO asking that they transfer money to a certain account.
Canadian organizations have proven to be at risk because of the ubiquitous use of technology. The speed at which businesses have become technologically reliant has exposed weaknesses in foundational IT operations. In addition, many businesses move to online platforms without proper knowledge of, or preparation for, the threats that await them.
IBM has reported on cybercriminals, likely operating out of Ukraine, who have been targeting Canadian businesses with customized phishing attacks. The attacks were designed to trick those with account access into divulging their company’s online banking credentials, one-time passwords and two-factor authentication codes. The goal of this targeted phishing campaign was to take over the account and transfer money to mule accounts controlled by the criminals. As in other attacks, the first step was a sophisticated spear phishing email sent to very specific senior employees, with content that appeared legitimate, including bank logos.
City of Ottawa Spear-Phishing Attack
An example of a spear-phishing attack in Canada involved an executive at the City of Ottawa. Marion Simulik, City Treasurer, was targeted and tricked into sending more than $100,000 to a fraudster in the United States. She did so in response to what she thought was a legitimate request from the city manager to pay a supplier. Simulik reached out to the supplier to verify the details, and over the course of a few hours they emailed back and forth; because that verification also happened over email, it never left the channel the fraud was being run through. Simulik then sent what she thought was the fulfillment of a legitimate payment request. Emboldened by their success, the fraudster contacted Simulik a second time a few days later, again pretending to be the city manager, and requested that she pay an additional $150,000 to the same supplier. Thankfully, the second request arrived while Simulik was with the city manager, and she asked him about the payment in person. Once they realized that the email was a phishing attack, the Ottawa police were contacted. In a fortunate turn of events, the fraudsters transferred the original payment from one US account to a second US account that was being watched by the US Secret Service. Within a month, the US authorities reached out to the City of Ottawa to inform them that they were victims of cybercrime (which they already knew). Given that the second account was being monitored, there is a good chance that the City of Ottawa will get some of its money back. Simulik, a well-respected senior public servant, was shaken by the incident. She gave a statement to city council in which she stated: "That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally."
Social Engineering
The key to a successful spear phishing attack is personalization. That personalization is the social-engineering component of the attack. As previously mentioned, in most spear phishing attacks the apparent source of the email is someone in a position of authority within the recipient's own organization, or someone the target knows of personally. The ultimate success of a spear phishing attack requires the following factors:
- The apparent source is a known and trusted individual
- Information within the message supports its validity
- The request makes sense
Prior to sending the email, the attacker gathers information about the target in order to personalize the spear-phishing attack. This personalization makes malicious emails seem more trustworthy. The attackers may spend months gathering information about the intended target before actually sending the email.
Social engineering is most common in email, but similar attacks can also be carried out over the phone or in person. In each case, the criminal will present themselves with confidence and authority, and will be very well prepared and knowledgeable about you and your company.
How Spear Phishing Works
Criminals can gather information about a target from their social media accounts, primarily LinkedIn or other business networking platforms, to build a comprehensive understanding of a company’s staff and its immediate networks.
They usually target someone in the company at an administrative level and pose as an authority figure that the target does not have much day-to-day interaction with. By posing as a legitimate figure and adding a tone of urgency, these emails prompt the target to act fast without giving the matter a sober second thought.
Security Awareness Training
In the absence of a cyber security awareness protocol, it's possible for spear phishing to happen a number of times through the same person. Once the criminal has established communication and has succeeded in their first attack, they are in a good position to continue to target the same person because now they have that employee’s trust.
Security awareness training reduces the likelihood of a user falling for spear-phishing tactics. This training should educate staff on how to spot suspicious email domains or links (a sender domain that imitates your own, a Reply-To address that differs from the From address, link text that shows one site while the link points to another), as well as the tell-tale wording in the messages and the kinds of information a fraudulent email will ask for.
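The same tells that staff are trained to notice can be checked mechanically before a message reaches an inbox. The script below is an added example written for this page, not CITI's own tooling: it parses a raw email with Python's standard library and flags a lookalike sender domain, a display name that belongs to a known executive but a mailbox that does not, a Reply-To that redirects replies elsewhere, link text that does not match the link target, and a cluster of urgency words. The organisation data (`TRUSTED_DOMAINS`, `EXECUTIVES`) and both sample messages are constructed placeholders.

```python
"""Heuristic triage of a raw email for spear-phishing tells (stdlib only)."""
import difflib
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"city.example"}                  # placeholder, not a real domain
EXECUTIVES = {"Jane Doe": "jane.doe@city.example"}  # placeholder: display name -> real mailbox
URGENCY = ("urgent", "immediately", "wire", "confidential", "asap")


def _fold(domain: str) -> str:
    """Collapse common homoglyph substitutions so 'rn' ~ 'm', '0' ~ 'o', etc."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True if `domain` is not trusted but imitates a trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return False
    for t in trusted:
        t_label, d_label = t.split(".")[0], domain.split(".")[0]
        if _fold(domain) == _fold(t):                              # homoglyph swap
            return True
        if difflib.SequenceMatcher(None, d_label, t_label).ratio() >= 0.8:
            return True                                            # typo-squat, e.g. cityy
        if t_label in re.split(r"[.-]", domain):                   # brand embedded: city-example.com
            return True
    return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _first_address(msg, header: str) -> tuple[str, str]:
    """(display name, lower-cased addr-spec) of the first address in a header, or ('', '')."""
    h = msg[header]
    if h is None or not getattr(h, "addresses", ()):
        return "", ""
    return h.addresses[0].display_name, h.addresses[0].addr_spec.lower()


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (tag, detail) findings; an empty list means no tell was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_name, from_addr = _first_address(msg, "From")
    from_dom = from_addr.rpartition("@")[2]
    if from_dom and is_lookalike(from_dom, TRUSTED_DOMAINS):
        findings.append(("lookalike-sender", from_dom))
    for exec_name, exec_addr in EXECUTIVES.items():        # the boss's name on a stranger's mailbox
        if exec_name.lower() in from_name.lower() and from_addr != exec_addr:
            findings.append(("display-name-mismatch", f"{from_name} <{from_addr}>"))
    _, reply_addr = _first_address(msg, "Reply-To")
    reply_dom = reply_addr.rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:                 # replies silently go elsewhere
        findings.append(("reply-to-redirect", reply_dom))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", text, re.I)
            text_host = m.group(1).lower() if m else ""     # only compare when the text looks like a URL
            if href_host and text_host and href_host != text_host:
                findings.append(("link-text-mismatch", f"{text_host} -> {href_host}"))
            elif href_host and is_lookalike(href_host, TRUSTED_DOMAINS):
                findings.append(("lookalike-link", href_host))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    hits = [w for w in URGENCY if re.search(rf"\b{w}\b", text, re.I)]
    if len(hits) >= 2:                                      # pressure to skip verification
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = b"""\
From: "Jane Doe" <jane.doe@city-example.com>
Reply-To: jane.doe@secure-rnail.example
To: treasurer@city.example
Subject: Urgent supplier payment
Content-Type: text/html; charset="utf-8"

<html><body><p>I need this wire processed immediately and kept confidential
until the contract is signed. Details are on the portal:
<a href="https://payments.evil.example/invoice">https://city.example/portal</a></p>
</body></html>
"""

SAMPLE_LEGIT = b"""\
From: "Jane Doe" <jane.doe@city.example>
To: treasurer@city.example
Subject: Q3 budget meeting
Content-Type: text/plain; charset="utf-8"

Reminder that the budget review is Thursday at 10. Agenda is on the calendar invite.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

Heuristics like these are a triage aid, not a verdict: a message with no findings can still be fraudulent, which is why the process control (confirming a payment request by a channel the email did not supply) matters more than any filter.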
It is also important for businesses to educate their employees about social media activity vulnerabilities. What are they posting on their social media accounts? Are they unknowingly revealing sensitive information on public platforms that can be used by criminals to exploit their trust?
Employees at every level should be trained to recognize suspicious emails or phone calls. That email from the CFO requesting a money transfer to another account? Confirm it directly with the CFO, by phone or in person, using contact details you already have rather than anything supplied in the email, before you take any steps. Spear phishing in Canada is a growing concern, but with cyber security education you can minimize your risk exposure.
The best defence against spear phishing attacks is ongoing education through security awareness training. To book a cybersecurity session for your team, get in touch with CITI.